You need to carry the CA certificates with your application then, or you can load them from the system storage in some way.

On Linux those certificates are stored in OpenSSL files, but unfortunately in different locations in different distros. On Windows they are in the Windows Certificate Storage. On MacOS they are in its own storage (not accessible from the Java edition at the moment).

For example, you can export CA certificates from Windows and keep them in one file, and then export ROOT certificates and keep them in another file. When it comes to validation, you use AddKnownCertificates and AddTrustedCertificates respectively to add those certificates to the validator.

I have a question: do the root certificates have to come with private keys?
Or are certificates with the public key enough?

When you say "you can export CA certificates from Windows and keep them in one file, and then export ROOT certificates and keep them in another file",
what is the format in which I have to put the certificates? PKCS7? With password protection?
So this is what I need to ask my customer for:
- CA certificates in a PKCS#7 file
- ROOT certificates in another PKCS#7 file

Could he do that from his PKI?

Sorry, I have a lot of questions, but I thought that one single certificate would be enough.

Yann Fontaine wrote:
I have a question: do the root certificates have to come with private keys? Or are certificates with the public key enough?

Root and CA certificates never come with private keys.


Yann Fontaine wrote:
When you say "you can export CA certificates from Windows and keep them in one file, and then export ROOT certificates and keep them in another file", what is the format in which I have to put the certificates? PKCS7? With password protection?

Yes, PKCS#7 format is the most common.


Yann Fontaine wrote:
Could he do that from his PKI?

Depends on what you mean by "his PKI". In Windows one can export the set of certificates, but I am not sure about options to export all certificates in the store. By writing some code you can save all CA or all ROOT certificates to a PKCS7 file using a call to the TElWinCertStorage.SaveToStreamPKCS7() method.

When searching for ROOT and intermediate certificates, I checked all certificates given by the customer
and found that one intermediate certificate was missing.
I asked the customer for this certificate and, after that, loaded all certificates into the validator.
And now it's running fine!

Thanks a lot for your help on this topic, and on other ones (PDF signature, ...).
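The two-file setup described earlier in the thread (trusted ROOT certificates in one file, known CA/intermediate certificates in another) and the "missing intermediate" failure that closed the thread can both be reproduced with plain openssl. The script below is an added example, not code from the thread or from SecureBlackbox: it builds a throw-away root, intermediate and leaf certificate (all names such as "Demo Root CA" and "leaf.example.test" are constructed), keeps the root in a trusted-roots file (the role of AddTrustedCertificates), keeps the intermediate in a PKCS#7 bundle that plays the role of the AddKnownCertificates file, and then validates the leaf once with and once without that intermediate.

```shell
#!/bin/sh
# Added example (not from the thread): a throw-away three-level PKI built with
# openssl. roots.pem is the "trusted" set, intermediates.p7b the "known" set.
# The second verification omits the intermediate, reproducing the
# "missing intermediate certificate" failure reported in the thread.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = root_ext
[dn]
CN = Demo Root CA
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca_ext.cnf"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > "$WORK/leaf_ext.cnf"

build_pki() {
  # Self-signed root CA (constructed demo name).
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/req.cnf" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=Demo Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/ca_ext.cnf" -out "$WORK/int.pem" 2>/dev/null
  # End-entity certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=leaf.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf_ext.cnf" -out "$WORK/leaf.pem" 2>/dev/null

  # The two files the thread talks about: trusted roots vs. known intermediates.
  # Neither file carries a private key; only the certificates are needed.
  cp "$WORK/root.pem" "$WORK/roots.pem"
  # Known intermediates as a PKCS#7 bundle (.p7b), then back to PEM for openssl verify.
  # A .p7b exported from Windows is usually DER encoded: add -inform DER to the pkcs7 call.
  openssl crl2pkcs7 -nocrl -certfile "$WORK/int.pem" -out "$WORK/intermediates.p7b"
  openssl pkcs7 -in "$WORK/intermediates.p7b" -print_certs -out "$WORK/intermediates.pem"
}

# Roots are trusted anchors; intermediates are only "known" (-untrusted), so
# they may be used for chain building but are never trusted on their own.
verify_with_intermediates() {
  openssl verify -CAfile "$WORK/roots.pem" -untrusted "$WORK/intermediates.pem" "$WORK/leaf.pem"
}

# Same validation with the intermediate missing: the chain cannot reach the root.
verify_without_intermediates() {
  openssl verify -CAfile "$WORK/roots.pem" "$WORK/leaf.pem"
}

build_pki
echo "with intermediates:"
verify_with_intermediates
echo "without intermediates:"
verify_without_intermediates || echo "validation failed as expected (exit $?)"
```

The first verification reports the leaf as OK; the second fails with "unable to get local issuer certificate", which is exactly what a validator sees when the customer's bundle lacks one link of the chain. Note that `-untrusted` never promotes the intermediate to a trust anchor: a chain is accepted only if it ends in a certificate from the trusted-roots file.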
